[kernel] r8377 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Mar 20 08:07:57 UTC 2007
Author: dannf
Date: Tue Mar 20 07:07:56 2007
New Revision: 8377
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/aio-fix-nr_pages-init.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* aio-fix-nr_pages-init.dpatch
[SECURITY] Fix initialization of info->nr_pages in aio_setup_ring() to
avoid a race that can lead to a system crash
See CVE-2006-5754
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Tue Mar 20 07:07:56 2007
@@ -28,8 +28,12 @@
[SECURITY] Fix userspace corruption vulnerability caused by
incorrectly promoted return values in bad_inode_ops
See CVE-2006-5753
+ * aio-fix-nr_pages-init.dpatch
+ [SECURITY] Fix initialization of info->nr_pages in aio_setup_ring() to
+ avoid a race that can lead to a system crash
+ See CVE-2006-5754
- -- dann frazier <dannf at debian.org> Tue, 20 Mar 2007 00:47:10 -0600
+ -- dann frazier <dannf at debian.org> Tue, 20 Mar 2007 01:05:01 -0600
kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
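Review bot: the new changelog entry describes "a race that can lead to a system crash", but the upstream description carried in aio-fix-nr_pages-init.dpatch states the problem differently: nr_pages claims that ring_pages[] has been filled in before it actually is, which confuses the code that frees the structure. Consider wording the entry to match, for example "do not set info->nr_pages before ring_pages[] is filled in, so the free path does not see pages that don't exist", so that the changelog, the dpatch description and the CVE-2006-5754 reference describe the same defect.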
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/aio-fix-nr_pages-init.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/aio-fix-nr_pages-init.dpatch Tue Mar 20 07:07:56 2007
@@ -0,0 +1,34 @@
+
+#### ChangeSet ####
+2004-11-07 10:22:27-08:00, torvalds at ppc970.osdl.org
+ aio: remove incorrect initialization of "nr_pages"
+
+ We should not claim to have filled in the ring_pages[] array
+ until we actually _do_ fill it in. It will confuse the code
+ that frees the structure if we claim there are pages there
+ that don't exist.
+
+ Noted by Darrick Wong.
+
+==== fs/aio.c ====
+2004-11-07 10:22:21-08:00, torvalds at ppc970.osdl.org +0 -2
+ aio: remove incorrect initialization of "nr_pages"
+
+ We should not claim to have filled in the ring_pages[] array
+ until we actually _do_ fill it in. It will confuse the code
+ that frees the structure if we claim there are pages there
+ that don't exist.
+
+ Noted by Darrick Wong.
+
+--- 1.60/fs/aio.c 2004-10-20 01:12:10 -07:00
++++ 1.61/fs/aio.c 2004-11-07 10:22:21 -08:00
+@@ -118,8 +118,6 @@ static int aio_setup_ring(struct kioctx
+ if (nr_pages < 0)
+ return -EINVAL;
+
+- info->nr_pages = nr_pages;
+-
+ nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
+
+ info->nr = 0;
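Review bot: once `info->nr_pages = nr_pages;` is dropped near the top of aio_setup_ring(), nothing in the visible context assigns info->nr_pages any more, so the fix depends on an assignment elsewhere that runs only after ring_pages[] has really been populated. That line is outside this hunk; please confirm it is present in the 2.6.8 fs/aio.c this series applies to, because without it the count would never reflect the pages that were set up and the free path would be wrong in the other direction. The hunk offsets are taken from upstream revisions 1.60 to 1.61, so it is also worth checking that it applies to the sarge tree without fuzz. As a documentation point, the dpatch header repeats the upstream description twice but never mentions CVE-2006-5754; a one-line reference would make the file self-describing.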
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7 Tue Mar 20 07:07:56 2007
@@ -5,3 +5,4 @@
+ smbfs-honor-mount-opts-2.dpatch
+ bluetooth-capi-size-checks.dpatch
+ listxattr-mem-corruption.dpatch
++ aio-fix-nr_pages-init.dpatch